Responses to Questions Raised in OMB's Fiscal Year 2004 FISMA Reporting Instructions

(Report No. 04-047, September 30, 2004)

Summary

The Office of Management and Budget's (OMB) August 23, 2004 memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act, directs agency Chief Information Officers (CIO) and Inspectors General to answer a series of questions related to the performance of their respective agency's information security program. The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General's (OIG) responses to the OMB questions were based on the results of our recently completed independent security evaluation required by the Federal Information Security Management Act (FISMA). We issued a separate evaluation report on September 30, 2004, entitled Independent Evaluation of the FDIC's Information Security Program-2004 (Report No. 04-046), detailing our FISMA evaluation results. Generally, the independent security evaluation report provided a more comprehensive and qualitative assessment of the FDIC's information security program and practices than our responses to the OMB questions. Our responses to the OMB questions, together with our independent security evaluation report, satisfy our 2004 FISMA reporting requirements.

The objective of the audit was to answer specific questions raised in OMB's fiscal year 2004 FISMA reporting instructions. Consistent with the results of our independent security evaluation, our responses to the OMB questions indicate that the FDIC has taken positive actions in a number of key security program areas. Our work did not identify any significant deficiencies in the FDIC's information security program that warrant consideration as a potential material weakness as defined by the OMB. However, additional control improvements and associated implementation activities were needed.

Management Comments

We provided the Division of Information Resources Management (DIRM) with a draft report summarizing our responses to the OMB questions on September 24, 2004. We also discussed our responses to the OMB questions with DIRM information security staff and made a number of changes to address their concerns and comments. Because the draft report did not contain formal recommendations, no written response was required from the Corporation.